June 21, 20233 yr Right now there is no clean way to monitor the security on Unraid OS, I think is something critical since many people is publishing dockers to internet. It's not compatible with auditd or wazuh or elastic agents or similar solutions. Right now even easy projects like crowdsec are compatible with auditd so people can easily implement some monitoring or going more advance with wazuh or other tools make use of the sigma rules, wazuh, security onion, Qradar Community edition, etc. So the request at least is to have auditd official support which is the standard way to monitor linux OS, wazuh support would be awesome as well. https://slackbuilds.org/repository/15.0/system/audit/
November 2, 20232 yr I managed to enable the Linux Audit Framework for unRAID but unfortunately it requires rebuilding the kernel. It's a simple flag in the .config file when building and I don't think there is really any downside or performance hit to having it available since the package would still need to be installed to use it. I think it would be beneficial to enable this for unRAID as it open the door for a more community development. I'm working on one right now that would benefit greatly from being able to track file system changes. Edited November 6, 20232 yr by bobbintb
March 3, 20242 yr On 11/2/2023 at 11:01 AM, bobbintb said: I managed to enable the Linux Audit Framework for unRAID but unfortunately it requires rebuilding the kernel. @bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice!
March 4, 20242 yr Author 9 hours ago, bland328 said: @bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice! Someone told me that they might add auditd in 6.13. So I am waiting for it
March 4, 20242 yr The necessary options in the Kernel should be included in 6.13.x so that community developers can build a plugin around it.
March 4, 20242 yr Author 2 minutes ago, ich777 said: The necessary options in the Kernel should be included in 6.13.x so that community developers can build a plugin around it. Why it would need a plugin? To configure it via webui?
March 4, 20242 yr 16 minutes ago, L0rdRaiden said: Why it would need a plugin? To configure it via webui? Because you would also need some application to interact with it, so to speak audit itself and also to make the settings that you configure persistent across reboots.
March 12, 20242 yr On 3/3/2024 at 4:18 PM, bland328 said: @bobbintb, did you happen to use any particular guide to accomplish this? Or have one in mind that you recommend? I'm also in need of auditd support, and though I have many years of Linux experience, I have yet to build a custom kernel. Thanks for any advice! I did use a guide, or a least part of one. It will be included in version 6.13, as mentioned. I do have a compiled version on github: https://github.com/bobbintb/unRAID-audit But fair warning, I haven't looked at it in a while so I am not sure how out of date it is.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.